Description
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.
Published: 2026-04-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated arbitrary file deletion
Action: Apply Patch
AI Analysis

Impact

Hermes WebUI allows an attacker who has already authenticated to delete arbitrary files on the host system. The flaw resides in the /api/session/delete endpoint where the session_id parameter is not validated for path correctness, enabling absolute or traversal paths to be supplied. This permits removal of writable JSON files located outside the intended session directory, potentially destroying configuration data or other critical files. The vulnerability is a classic absolute path traversal (CWE-22) and results in loss of data integrity and availability.

Affected Systems

The affected product is Hermes WebUI from nesquena. No specific version information is provided in the advisory, but the patch on GitHub and the release notes for tags v0.50.132 and v0.50.32 suggest that these releases contain the fix.

Risk and Exploitability

The CVSS score of 7.2 places the issue in the high‑severity range, and while an EPSS score is not available, the lack of a KEV listing indicates no widespread, known exploitation. A successful exploit requires authenticated access to the API, so the attack is limited to users who can log in to the WebUI. Once authenticated, an attacker can craft a session_id that points to any writable file on the host, leading to file deletion. The risk remains significant for organizations that rely on Hermes WebUI for configuration or data storage.

Generated by OpenCVE AI on April 22, 2026 at 06:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hermes WebUI to version v0.50.132 or later, which contains the path‑validation fix for the /api/session/delete endpoint.
  • Apply the commit 3cc5839bf303fa6758bfdac538507407a2929655 that was merged in the above release.
  • Restrict access to the /api/session/delete endpoint to only trusted users or network segments, and ensure that the session_id parameter is tightly validated against the session directory boundary.
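The last recommendation above (validate session_id against the session directory boundary) is the core of the fix. The following is an added Python example written for this page; it is not Hermes WebUI code and does not reproduce the project's patch. It assumes a layout of SESSION_DIR/<session_id>.json and that valid session ids are short opaque tokens, and it layers two independent checks: a character allowlist on the id, and a containment check on the fully resolved path so that symlinked session files cannot point the delete outside the directory.

```python
"""Hardened session-delete path handling (illustrative, not the project's code).

Assumed layout (constructed for this example): <SESSION_DIR>/<session_id>.json
"""
import re
import tempfile
from pathlib import Path

# Allowlist for client-supplied ids. Rejecting everything outside this set
# stops "/", "\\", "..", NUL and absolute paths before any path logic runs.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class InvalidSessionId(ValueError):
    """Raised for any session_id that must not be turned into a file path."""


def resolve_session_file(session_dir: Path, session_id: str) -> Path:
    """Map session_id to a file strictly inside session_dir or raise.

    Check 1: syntactic allowlist. Check 2: the resolved path (symlinks
    followed) must sit directly under the resolved session directory.
    """
    if not isinstance(session_id, str) or not SESSION_ID_RE.fullmatch(session_id):
        raise InvalidSessionId("session_id has an invalid format")

    base = session_dir.resolve()
    candidate = (base / f"{session_id}.json").resolve()
    if candidate.parent != base:
        raise InvalidSessionId("session_id resolves outside the session directory")
    return candidate


def delete_session(session_dir: Path, session_id: str) -> bool:
    """Delete one session file; return True only if a file was removed."""
    target = resolve_session_file(session_dir, session_id)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Exercise the handler with constructed inputs and report each outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        session_dir = Path(tmp) / "sessions"
        session_dir.mkdir()
        (session_dir / "abc123.json").write_text("{}")
        outside = Path(tmp) / "config.json"  # a writable JSON file that must survive
        outside.write_text("{}")

        # A well-formed id whose file is a symlink escaping the directory:
        # passes the regex, must be caught by the containment check.
        symlink_ok = True
        try:
            (session_dir / "linked.json").symlink_to(outside)
        except OSError:
            symlink_ok = False  # platform without symlink support

        probes = ["abc123", "../config", "/absolute/path/config.json",
                  "abc123/../../config", ""]
        if symlink_ok:
            probes.append("linked")

        results = {}
        for sid in probes:
            try:
                results[sid] = delete_session(session_dir, sid)
            except InvalidSessionId as exc:
                results[sid] = f"rejected: {exc}"
        results["outside_file_intact"] = outside.exists()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The regex alone would already block the absolute-path and traversal inputs named in the advisory; the containment check is what keeps the handler safe when the directory itself contains symlinks or when the id format is later relaxed.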



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

  Type: Metrics
  Values removed: (none)
  Values added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

  Type: First Time appeared
  Values removed: (none)
  Values added: Nesquena; Nesquena hermes-webui

  Type: Vendors & Products
  Values removed: (none)
  Values added: Nesquena; Nesquena hermes-webui

Wed, 22 Apr 2026 00:00:00 +0000

  Type: Description
  Values removed: (none)
  Values added: Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated session identifiers to construct paths that bypass the SESSION_DIR boundary and delete writable JSON files on the host system.

  Type: Title
  Values removed: (none)
  Values added: Nesquena Hermes WebUI Arbitrary File Deletion via Unvalidated session_id

  Type: Weaknesses
  Values removed: (none)
  Values added: CWE-22

  Type: References
  Values removed: (none)
  Values added: (none listed)

  Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1
    {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}
  cvssV4_0
    {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Nesquena Hermes-webui
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-22T18:11:16.142Z

Reserved: 2026-04-21T21:38:22.208Z

Link: CVE-2026-6832

Vulnrichment

Updated: 2026-04-22T18:09:08.951Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T22:16:21.040

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-6832

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:53Z

Weaknesses